You can set up groups, roles, and permissions for many purposes, such as populating and administering standing committees, ad hoc research teams, departments, or classes. Grouper gives you a single point of control: once a person is added to or removed from a group, the group-related privileges are updated automatically in all of your collaborative applications.
Grouper enables efficient management of the membership roster at a single point. A researcher, for example, can enable the members of a project group to participate in an email list or view a website.
Grouper is at the center of all group and access policy management. Managing access with Grouper results in access to target systems being automatically kept in sync with policy as subject attributes change in underlying systems of record (e.g. ERP, SIS, etc).
This overall mechanism, coupled with powerful distributed management capabilities, is what makes Grouper a core component of the InCommon Trusted Access Platform. The Grouper project maintains three introductory videos that are a bit dated but still very relevant.
The third and final video in the series, Intro to Grouper: Grouper Toolkit Components, describes the various product components and capabilities, and the options for integrating with an existing campus IAM architecture. The University of Chicago VPN example described in the Intro to Grouper series provides a good overview of how a variety of Grouper's capabilities come together to implement access control management, and illustrates a common pattern that can be applied in many situations.
Reference groups are groups of subjects that share some characteristic, such as being a student, a postdoc, or a member of the IRB office. Most reference groups are loaded from systems of record; the IRB office reference group, by contrast, is kept up to date by directly adding or removing members via the Grouper UI.
Reference groups are institutionally meaningful concepts and represent the best known "truth" about a subject at any given moment. Grouper provides a single point of management, enables groups to be defined once and reused across multiple applications, and empowers the right people to manage access.
Grouper is organized around three main concepts: folders, groups, and memberships. Composite groups derive their membership from two factor groups. An intersection includes the entities that belong to both factor groups, producing a composite of the "members in common".
A complement includes the subjects that belong to the primary "left" factor group who are not also members of the secondary "right" factor group (i.e. "left" minus "right"). Separately, a rule can detect actions, check conditions, and perform the resulting operations.
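The following is an added example (not Grouper's own code) that models the composite semantics just described and the "single point of control" claim: a VPN policy group is built from reference groups fed by HR and an MFA system, and a hand-maintained deny list. The folder names, subjects and the policy itself are constructed for illustration; the point is that when the nightly feeds change a reference group, the derived policy group follows without anyone editing it.

```python
"""Composite-group evaluation in the style of Grouper's INTERSECTION and
COMPLEMENT composites.  Added illustration, not Grouper code: the folder
names, subjects and the VPN policy groups are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Group:
    """A group whose members are assigned directly: a reference group fed
    from a system of record, or an ad hoc group managed in the UI."""
    name: str
    members: set = field(default_factory=set)


@dataclass
class Composite:
    """A composite group: membership is derived from two factor groups and
    is never assigned by hand."""
    name: str
    op: str      # "intersection" (left AND right) or "complement" (left minus right)
    left: str
    right: str


class Registry:
    def __init__(self):
        self.groups = {}

    def add(self, g):
        self.groups[g.name] = g
        return g

    def members(self, name):
        """Resolve a group's effective membership, recursing through composites."""
        g = self.groups[name]
        if isinstance(g, Group):
            return set(g.members)
        left, right = self.members(g.left), self.members(g.right)
        if g.op == "intersection":
            return left & right
        if g.op == "complement":
            return left - right
        raise ValueError(f"unknown composite type {g.op!r}")


def build_vpn_registry():
    """Constructed policy: VPN access requires an employee who has enrolled in
    MFA and is not on a manually maintained deny list."""
    r = Registry()
    r.add(Group("ref:employee", {"bob", "dave", "erin"}))        # HR feed (constructed)
    r.add(Group("ref:mfa_enrolled", {"alice", "bob", "dave"}))   # MFA system feed (constructed)
    r.add(Group("app:vpn:deny", {"dave"}))                       # security team, via the UI
    r.add(Composite("app:vpn:eligible", "intersection", "ref:employee", "ref:mfa_enrolled"))
    r.add(Composite("app:vpn:access", "complement", "app:vpn:eligible", "app:vpn:deny"))
    return r


def after_feed_update(r):
    """Simulate the next nightly feeds: erin enrolls in MFA, dave leaves HR.
    Only reference groups change; the policy group follows automatically."""
    r.groups["ref:mfa_enrolled"].members.add("erin")
    r.groups["ref:employee"].members.discard("dave")
    return r.members("app:vpn:access")


if __name__ == "__main__":
    reg = build_vpn_registry()
    print("before:", sorted(reg.members("app:vpn:access")))   # ['bob']
    print("after: ", sorted(after_feed_update(reg)))           # ['bob', 'erin']
```

Note that dave loses VPN access twice over (deny list, then HR departure) and nobody touched app:vpn:access; that is the property the paragraph above is describing, and it is why provisioning targets should consume the policy group rather than copying reference groups.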
Each folder, group, and attribute has its own privilege assignments which enables fine-grained access control and delegation of authority. The Access Privileges definition in the Grouper glossary provides further details on what.
The LDAP uid is opaque and unique to LDAP. The standard unique identifiers are the UA Username (Systemic) in LDAP, which is name-based and may change as names change, and the UA ID# or Banner ID in LDAP, which is an unchanging numeric ID. I've met with the statewide AD admin on 2012-07-27 and, based on his input, I'm proposing we use AD as the subject source; we'll search the Enterprise LDAP directory for buildings to create groups based on those users.
The uid is opaque and not generally suitable except in a two-step process: (1) search on name or a known unique identifier to obtain the DN (like "uid=12wynpgyz01,ou=people,dc=alaska,dc=edu"), then (2) query for the desired attributes at that DN. Install and configure Grouper (including the relevant components) and integrate it with their subject sources.
Each step is documented in detail as source and/or narrative in the IAM wiki. Disable the default grant of read/view access to everyone on new group creations (the groups.create.grant.all.read and groups.create.grant.all.view settings in grouper.properties), so that membership data is not readable by every subject by default.
EPPN is built in the IdP from the UA Username; it is already resolved for sending to multiple SPs.
Run time probably depends on how long it takes to run the LDAP query and how many users there are. This could be turned into a composite group if UA wants to see that functionality demonstrated.
For both test environments, we are currently assuming that the member attribute of group objects will be populated. Incremental provisioning to LDAP will run through the Grouper daemon.
All configuration changes will be documented as narrative or outline, with scripts, code and terminal sessions kept in the Subversion source repository. The Gas service supports institutional groups (maintained automatically by external processes) and ad hoc groups (managed by individuals and by client applications of Gas).
Grouper is a group management toolkit funded by the NSF Middleware Initiative. The shell includes import and export tools and a mechanism to provision an LDAP directory.
The browser version is more intuitive and easier to use than the various APIs that come with Grouper. One obvious Gas implementation keeps most of the old application, a CGI, but replaces the LDAP library with something that interacts with Grouper.
A more promising path employs a lightweight Spring MVC Java application as a facade to Grouper. The application, its template engine (Velocity) and Grouper are all Java objects, making all the interfaces simpler and more efficient.
Responsiveness, reliability, redundancy: old Gas had no single point of failure. In order to provide our customary level of service, a hybrid system seems advisable.
Grouper uses a colon as a separator of stem and group name parts. The new Gas will continue to use underscore separator and translate as needed.
Grouper has a strict distinction between stems (aka folders) and groups. The new Gas will continue this appearance by automatically managing stems as needed.
A stem with the same name as its group will be created to hold subgroups. However, Grouper now allows a moved (renamed) group to maintain its old name.
Old Gas did not require that a group's member or administrator actually exist anywhere. Whatever string of characters looked like a NetID or some other acceptable name was fine.
Grouper requires one or more separate subject databases in which any member or administrator must exist. Two external subject interfaces are provided: one to an LDAP directory, the other to an SQL database.
The LDAP subject adapter is inefficient, does not work conveniently with a directory that requires SASL EXTERNAL authentication, and provides neither persistent connections nor connection pooling. More to the point, this bifurcation between registry and subject source forms a serious structural defect in Grouper.
There is no ability to use efficient database joins when searching or updating the registry. By caching the information we need from PDS in a table within Grouper's database we can provide quicker, more efficient and more effective registry queries and updates.
Similar tables and procedures can provide subject sources for DNS names and opens. We automatically provide many institutional groups: Affiliation, Budget, Classes, etc.
Use of Grouper's loader (import) results in the group being removed and replaced. The reconciliation process of old GDS (and Gas) directly updated the LDAP database with the changes instead.
Also needed: a cache of NetID-RegID relationships, and processing of the PDS LDIF in lieu of the XML file now distributed by EDS. Membership changes to large groups (tens of thousands of members) tend to take a long time on an OpenLDAP server.
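As an added example (not Grouper or Gas code) of the reconciliation approach contrasted above with remove-and-replace, the script below computes the add/remove delta between the desired roster and what the directory currently holds and renders it as a single LDIF modify record, so a large group is touched only for the members that actually changed. The rosters are constructed, the DNs under dc=example,dc=edu are placeholders, and the cap on removals per run is an assumed local safeguard, not a Grouper setting; its purpose is that an empty or truncated upstream feed fails loudly instead of silently emptying the group.

```python
"""Delta-based reconciliation of a group roster into an LDAP group, emitting
an LDIF modify record instead of deleting and recreating the group.  Added
example, not Grouper or Gas code; the rosters are constructed and the
removal cap is an assumed local safeguard, not a Grouper setting."""

MAX_REMOVE_FRACTION = 0.20   # assumption: refuse to drop more than 20% of a group in one run


class TooManyRemovals(Exception):
    """Raised when a run would remove an implausible share of the group,
    which usually means an empty or truncated upstream feed, not real churn."""


def plan(desired, current, max_remove_fraction=MAX_REMOVE_FRACTION):
    """Return (adds, removes) needed to turn `current` into `desired`."""
    desired, current = set(desired), set(current)
    adds = sorted(desired - current)
    removes = sorted(current - desired)
    if current and len(removes) / len(current) > max_remove_fraction:
        raise TooManyRemovals(
            f"{len(removes)} of {len(current)} members would be removed; refusing")
    return adds, removes


def to_ldif(group_dn, adds, removes, people_base="ou=people,dc=example,dc=edu"):
    """Render one LDIF 'changetype: modify' record for ldapmodify.  Writing
    only the changed member values keeps the update small on a large group."""
    if not adds and not removes:
        return ""
    lines = [f"dn: {group_dn}", "changetype: modify"]
    if adds:
        lines.append("add: member")
        lines += [f"member: uid={m},{people_base}" for m in adds]
        lines.append("-")
    if removes:
        lines.append("delete: member")
        lines += [f"member: uid={m},{people_base}" for m in removes]
        lines.append("-")
    return "\n".join(lines) + "\n"


def reconcile(group_dn, desired, current):
    """Plan and render in one step; returns (adds, removes, ldif)."""
    adds, removes = plan(desired, current)
    return adds, removes, to_ldif(group_dn, adds, removes)


if __name__ == "__main__":
    # Constructed rosters: ten current members, one leaver and one joiner.
    current = {f"u{i:02d}" for i in range(10)}
    desired = (current - {"u03"}) | {"u10"}
    adds, removes, ldif = reconcile(
        "cn=cs-affiliates,ou=groups,dc=example,dc=edu", desired, current)
    print(ldif)
    try:
        plan(set(), current)          # an empty feed must not empty the group
    except TooManyRemovals as e:
        print("refused:", e)
```

The output can be piped straight into ldapmodify; the threshold is deliberately a fraction rather than a count so that it scales from a ten-member committee to a campus-wide group, and a run that trips it should page a human rather than retry.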
Grouper's GUI uses a people-picker mechanism to add members to a group. New Gas allows addition of members by NetID, but provides a person picker for authorized users as a convenience.
The new Gas subject adapter uses the LDAP library from Virginia Tech, uses persistent connections and connection pooling, allows convenient certificate (SASL) authentication, and works with UW's two-directory structure, in which the account UUID (the subject's id) is in a separate OU from the subject's other attributes. Clients access Gas rather than the LDAP directory, and specify memberships by account UUID (subject by id).
This has led to deployments which have tended towards similar functionality, but often diverge considerably in approach, terminology and implementation. Harmonizing Grouper deployments with common practice, vocabulary and strategies will make it easier for the community to work together towards common objectives, and improve Grouper more quickly over time.
New and existing Grouper deployments will find it easier to benefit from community experience, achieve Identity and Access Management (IAM) goals more quickly, and work together to build a robust TIER-based IAM practice. Community input is now being considered, and the 1.0 version of the TIER Grouper Deployment Guide is scheduled to be published on April 21.
In Manifest, groups are located in folders (also known as a "naming stem" in the documentation of Grouper, the underlying software). At Madison, we want the folder structures in Manifest to describe, as best they can, the general organization of the University of Wisconsin and who is responsible for a group, making it easier to find a group or its owning organization.
uw:domain (or uw:dom): the structure of DNS on campus gives relatively easy insight into whom a set of groups belongs to, and by using DNS names we can reduce confusion and disagreement about what the name of a stem should be. uw:org: groups that cross department/division boundaries and define organizationally interesting cohorts.
There are no hard-and-fast rules for what belongs where, and luckily no technical penalty for something being in the “wrong” place, other than perhaps confusing ourselves in the future. However, other people may see your group name without easy visibility to the folder it is in, so giving it a name that helps reduce confusion is the neighborly thing to do (CS Affiliates instead of simply Affiliates).
Names are intended for human consumption and are shown in the UI and some other interfaces.

Like you, we have an ancient locally developed IAM system (person registry, provisioning). We have determined that OIM does NOT contain functionality that is in any way comparable to what Grouper provides. I would call your attention, though, to I2's recently announced TIER effort. Over the next few years I2 expects to develop and make available an open source IdM/IAM system.

> At UNC Charlotte, we have embarked on a multi-year effort to replace 35+ years of home-grown utilities, community knowledge, and human intervention with a commercial product for improved IAM business practice automation. As we get deeper into the project, it appears that the group management features of Grouper are more robust than what the commercial product currently supports. The Grouper architecture diagrams show that integration with a separate Identity Management system is part of the overall scope, but I'm not finding specific references where Grouper users have actually undertaken that, and I am curious about your experiences doing that. We currently provide an overnight feed from our HR system (Workday) to Grouper. I'm curious about others' experiences with integrating Grouper into an enterprise IAM framework.
We have a pair of overnight feeds from our HR system and from our Faculty Information System to Grouper; these feeds are used to manage a set of People groups for every department. Our Grouper instance uses a message bus to provide real-time updates to several target systems, including LDAP, Google, and Canvas (our LMS).
Unicon, Inc., a leading IT consulting services provider specializing in open source for the education market, today announced the expansion of its Identity and Access Management (IAM) practice to include new service offerings and new team members. The practice is headed by Bill Thompson, IAM Director.
Unicon can assess an institution's current IAM landscape and develop a roadmap to meet its needs. The team can leverage these technologies to create a secure IT infrastructure that meets the needs of the institution.
Through this program, institutions gain access to a dedicated support team of expert developers and administrators, each with experience in the community project. Unicon is marking NCSAM by announcing this expansion, which is designed to continue to secure and manage access for its clients.
Unicon has published an IAM brochure detailing the services and support offerings for the technologies involved in the practice. Unicon works closely with colleges, universities, and corporations to find the best solutions to their business challenges.
Unicon specializes in using open source technologies to deliver flexible and cost-effective systems in the areas of enterprise portals, learning management systems, identity and access management, online video, calendaring, email, mobile, and collaboration.